XTB is an online brokerage platform offering trading services in various financial instruments to individual and professional clients. The investing industry is split between customers who seek advice from a professional expert to make sound decisions and those who leverage instant reaction to the changing market – the latter are our clients. Speed is at the heart of our business, forcing us to keep our tech at cutting-edge levels.
Aleksander Moykowski, their Chief Compliance Officer, joined us to talk about best practices for data protection, and he did so in a truly “zeitgeisty” spirit – coming out of a cold.
Alek: I feel alright now, thanks. In fact, I was well enough to help my company transition to a fully remote work mode over the past 2 weeks, overtaking the entire Polish financial sector, where companies are usually able to reach a home office ratio of around 30% tops. It was not easy, but it’s a matter of organizational maturity and only possible thanks to our proactive past investments in specific solutions and digital infrastructure.
2ndlock: That’s amazing, congratulations! Tell us more about your journey to get to this point.
A: The whole financial sector is extremely sensitive when it comes to data protection. Large amounts of various data types are heavily regulated in the EU, and fines for non-compliance can have severe consequences. Our risk management policy is to keep our standards way above what’s required.
2L: Aside from GDPR and trade secrets – what type of sensitive data would you point out?
A: Personal data is not the only kind a company needs to protect; you also need to protect data that reflects the behaviours of your customers, which is more related to the operations of your company. In our case these behaviours can be investment patterns, referring both to specific customers and to anonymized events. Let’s say we have 10 000 individuals buying a certain stock on a certain day. It no longer matters whether it was John Smith or Ben Taylor purchasing one of those – it’s the whole event that is significant to that specific handling agency. Such information is very sensitive and protected by the law. The most common trade secrets in other sectors are: intellectual property, client base, terms and conditions of partnerships, strategies, or simply know-how – the intangible assets that keep the company competitive.
2L: Corporate compliance positions have been booming ever since GDPR, but not every company can afford such an FTE …
A: So many companies did, and some still do, underrate the importance of both the Compliance Officer and the Security Officer. The first one is responsible for legal matters, the other for technical implementations. The surge in demand has been really high, though. A few years ago there was a single job opening for a Compliance Officer once every couple of months; now we see tens of new openings every week! We have been seeing the first fines in the EU, even in Poland, and these can reach as much as hundreds of millions of Euros. Depending on the volume of data transfers and the resulting liability of a company, it’s a quick risk management calculation of when to hire such experts. A great alternative is to outsource – getting in touch with specialized consultancies, who are helpful in mapping out processes and advising tailored solutions. Every company has pretty individual needs, so it’s difficult to come up with a universal matrix.
2L: What are the basics of data protection management?
A: It’s quite difficult to order a system by the source of data – even if we can easily define data that came from outside, it can quickly get processed internally and the line about its source becomes blurry. It’s more common to split it by the type of risk, and here we identify two: first, a data breach, where someone intentionally tried to steal our data; second, a data leak, where it was the company that exposed its data beyond the desired environment. The first one is mostly the domain of the IT system in place; the second is more influenced by people in the organization.
Unfortunately both are almost impossible to fully avoid, as each system has its limits, so it is all about adding new, sometimes overlapping solutions to the IT systems, as well as training employees with clear instructions and advice. Here the rule of thumb is that your system is only as strong as its weakest link, so regular, clear and actionable communication is key.
2L: That’s a great tip, but what specific, actionable advice could you give to our readers today?
A: There are 3 major areas in data protection – IT security, physical security, and working culture. This would be the first step to map out the status quo and address its main points:
- IT security:
  - Software: Make sure your employees are equipped with antivirus software and firewalls, and have encryption regimes in place.
  - BYOD (bring your own device) policy – very few companies have a BYOD policy; having one is definitely a major advantage in the conditions we are witnessing today. An alternative can be encrypted company laptops.
  - VPN (virtual private network) – this would be the best tool. I definitely recommend it, especially the option with the remote desktop mode, which keeps employees’ work entirely within the company’s environment, preventing any possible contamination from unsecured third-party devices or networks. The main barrier for this solution is that it requires a very powerful server & huge computing power → expensive.
- Physical security:
  - IT infrastructure: where are your working hard drives located? Are they all stationary and connected solely to your private servers, or do you have employees using laptops, and if so – are they encrypted? What is your USB stick policy? Do your machines have USB ports? If not, it is likely other devices will be introduced to facilitate saving data to external drives. Are these encrypted?
  - Premises: is your office properly secured against a break-in? Do you control individual access of employees to specific areas?
  - Business continuity plan: have you prepared an action plan for different scenarios of unlikely events and how your business would continue to operate under such conditions? This is often neglected or unheard of by SMEs, but can be a real lifesaver. Examples range from a massive power outage, break-in, or flooding of a building to a major image crisis. I admit I’ve never seen a global pandemic scenario…
2L: Hence our conversation :) So what would you advise as precautionary measures in remote work scenarios? Are there any dangers arising from employees suddenly using unauthorized networks or devices, etc.?
A: Indeed! This brings us to the third point:
- Working culture policy – especially relevant to remote work!
  - Data transfers: don’t transfer confidential data out of work-approved devices, be it in the form of a printout or by taking photos of a screen (that can be the case when some VPNs block the print screen option); don’t send it over to other devices.
  - Private working area – limit access to both documents and conference calls. Some of us might have spouses working for the competition, and our children are also not an ideal audience for confidential business conversations.
  - Passwords – change them frequently, on your devices and accounts, as well as the Wi-Fi!
  - Block inputs and outputs, such as additional screens and cameras, on your device – both carry the risk of unintended exposure.
  - Don’t use unauthorised communication apps to exchange working documents with your colleagues. Even ones that claim to encrypt your messages are not 100% reliable from a data protection policy point of view.
  - Beware of phishing. Working from home can make it tricky to distinguish between our professional and private selves, and as private people we largely underestimate the importance of privacy online. Attackers know it and take advantage of it! We’ve already heard of cases of cyber criminals calling employees as IT Admins, trying to extort passwords.
This is not a comprehensive list, but should be helpful to run a quick sanity check in these hectic days.